DETAILED ACTION

Claims 1-19 and 24-27 are pending. 

This Office Action is in response to pre-appeal decision dated 4/2/2008. See response to arguments. 
Rejections based on the newly cited reference(s) follow. 

Below, Examiner has pointed out particular references contained in the prior art(s) of record in 
the body of this action for the convenience of the applicant. Although the specified citations are 
representative of the teachings in the art and are applied to the specific limitations within the 
individual claims, other passages and figures may apply as well. Applicant should consider the entire 
prior art as applicable as to the limitations of the claims. It is respectfully requested from the 
applicant, in preparing the response, to consider fully each reference in its entirety as potentially 
teaching all or part of the claimed invention, as well as the context of the passage as taught by the 
prior arts or disclosed by the examiner. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the
rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on sale in this 
country, more than one year prior to the date of application for patent in the United States. 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed in the
United States before the invention by the applicant for patent or (2) a patent granted on an application for patent by 
another filed in the United States before the invention by the applicant for patent, except that an international application 
filed under the treaty defined in section 351(a) shall have the effects for purposes of this subsection of an application
filed in the United States only if the international application designated the United States and was published under 
Article 21(2) of such treaty in the English language. 

1. Claims 1-3, and 24-26 are rejected under 35 U.S.C. 102(b) as being anticipated by Kuo et al.
(US 6,230,288), hereafter "Kuo". 

Considering Claims 1 and 24, Kuo discloses a computer-implemented method for determining 
whether computer code contains malicious code (abstract), said method comprising the steps of: 
identifying computer code suspected of currently containing malicious code (Fig. 2, column 6- lines 
32-44); optimizing the identified computer code to produce optimized code (Fig. 2, column 5- lines 19-38);
subjecting the optimized code to a malicious code detection protocol (Fig. 2, column 7- lines 35-38);
and responsive to the malicious code detection protocol detecting malicious code in the
optimized code (Fig. 2- column 7- lines 35-38), declaring a confirmation that the computer code 
contains malicious code (Fig. 2- column 7- lines 35-46). 

Considering Claims 2 and 25, Kuo discloses the malicious code detection 
protocol is a protocol from the group of protocols consisting of pattern matching, emulation, 
checksumming, heuristics, tracing, X-raying, and algorithmic scanning (column 7- lines 35-46). 

2. Claims 1-4, 14-19, and 24-26 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Christodorescu et al. (US 2005/0028002), hereafter "Christodorescu". 

Considering Claims 1 and 24, Christodorescu discloses a computer-implemented method for 
determining whether computer code contains malicious code (abstract), said method comprising the 
steps of: identifying computer code suspected of currently containing malicious code ([0011]);
optimizing the identified computer code to produce optimized code ([0011]); subjecting the optimized
code to a malicious code detection protocol ([0011]-[0028]); and responsive to the malicious code
detection protocol detecting malicious code in the optimized code ([0011]-[0031]), declaring a 
confirmation that the computer code contains malicious code ([0011], [0031]). 

Considering Claims 2 and 25, Christodorescu discloses the malicious code detection
protocol is a protocol from the group of protocols consisting of pattern matching, emulation, 
checksumming, heuristics, tracing, X-raying, and algorithmic scanning ([0027]). 

Considering Claims 3 and 26, Christodorescu discloses the optimizing step comprises 
performing at least one technique from the group of techniques consisting of constant folding, copy 
propagation, non-obvious dead code elimination, code motion, peephole optimization, abstract 
interpretation, instruction specialization, and control flow graph reduction ([0011]-[0028]).

Considering Claim 4, Christodorescu discloses at least two of said techniques are combined 
synergistically ([0011]-[0028]).

Considering Claim 14, Christodorescu discloses optimizing the computer code to produce 
optimized code comprises: performing a forward pass operation ([0017], [0019], [0020], [0023]);
performing a backward pass operation ([0018], [0021]); performing a control flow graph reduction 
([0044]-[0045]); and iterating the above three steps a plurality of times ([0044]-[0046]). 

Considering Claim 15, Christodorescu discloses the iteration of the three steps stops after 
either: a pre-selected number of iterations; or observing that no optimizations of the computer code 
were performed in the most recent iteration ([0060]-[0065], Fig. 2). 

Considering Claim 16, Christodorescu discloses the step of performing a code motion 
procedure, wherein the four steps are iterated a plurality of times ([0018], [0024]).

Considering Claim 17, Christodorescu discloses the forward pass operation comprises one or 
more steps from the set consisting of: peephole optimization; constant folding; copy propagation; 
forward computations related to abstract interpretation; and instruction specialization ([0011]-[0028]).

Considering Claim 18, Christodorescu discloses the backward pass operation comprises one
or more steps from the set consisting of backward computations related to abstract interpretation and 
local dead code elimination ([0018], [0021]). 

Considering Claim 19, Christodorescu discloses the backward pass operation comprises the 
additional step of global dead code elimination ([0021]). 

3. Claim 27 is rejected under 35 U.S.C. 102(e) as being anticipated by Teblyashkin et al. (US 
7,266,844), hereafter "Teblyashkin". 

Considering Claim 27, Teblyashkin discloses a method for determining whether computer 
code contains malicious code (abstract), said method comprising the steps of: performing a dead 
code elimination procedure on the computer code (column 1- lines 31-38); noting the amount of dead 
code eliminated during the dead code elimination procedure (column 1- lines 39-42); and when the 
amount of dead code eliminated during the dead code elimination procedure exceeds a preselected 
dead code threshold (column 1- lines 43-62), declaring a suspicion of malicious code in the computer 
code (column 1- lines 39-42). 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections 
set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 
102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the 
subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill 
in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

4. Claims 5-13 are rejected under 35 U.S.C. 103(a) as being unpatentable over Christodorescu 
in view of Nachenberg (US 5,826,013), hereafter "Nachenberg". 



Application/Control Number: 10/763,673 Page 6 

Art Unit: 2135 

Considering Claim 6, Christodorescu discloses a computer-implemented method for 
determining whether computer code contains malicious code (abstract), said method comprising the 
steps of: identifying computer code suspected of currently containing malicious code ([0011]), the
computer code having a decryption loop and a body ([0006], [0009]), and responsive to the malicious 
code detection procedure detecting malicious code in the optimized loop code or the malicious code 
detection protocol detecting malicious code in the optimized body code ([0011]-[0028]), declaring a
confirmation that the computer code contains malicious code ([0011], [0031]). 
Christodorescu does not explicitly disclose optimizing the decryption loop to produce optimized loop 
code; performing a malicious code detection procedure on the optimized loop code; optimizing the 
body to produce optimized body code; subjecting the optimized body code to a malicious code 
detection protocol; Christodorescu suggests that both the loop and body of the suspected computer 
code are optimized ([0009], [0011]).

The combination of Christodorescu and Nachenberg discloses optimizing the decryption loop to 
produce optimized loop code (Nachenberg- column 1- lines 63-67, column 2- lines 1-25, 
Christodorescu- [0011]); performing a malicious code detection procedure on the optimized loop code
(Christodorescu- [0011]); optimizing the body to produce optimized body code (Nachenberg- column
1- lines 63-67, column 2- lines 1-25, Christodorescu- [0011]); subjecting the optimized body code to a
malicious code detection protocol (Christodorescu- [0011]).

Therefore, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the teachings of Christodorescu by treating the loop code and body 
code separately as taught by Nachenberg in order to provide polymorphic virus detection systems 
that can be readily expanded to cover newly discovered viruses, without need for extensive 
regression testing and modification of the heuristics of the emulation control module. In addition, the
system should be able to provide accurate results without emulating unnecessarily large numbers of 
instructions (Nachenberg- column 2- lines 44-50). 

Considering Claim 5, Christodorescu does not explicitly disclose the computer code is 
polymorphic code comprising a decryption loop and a body; and the optimizing step comprises 
optimizing just the decryption loop. Christodorescu suggests that both the loop and body of the 
suspected computer code are optimized ([0009], [0011]). 

The combination of Christodorescu and Nachenberg discloses polymorphic code comprising a 
decryption loop and a body; and the optimizing step comprises optimizing just the decryption loop 
(Nachenberg- column 1- lines 63-67, column 2- lines 1-25, Christodorescu- [0011]).

Therefore, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the teachings of Christodorescu by treating the loop code and body 
code separately as taught by Nachenberg in order to provide polymorphic virus detection systems 
that can be readily expanded to cover newly discovered viruses, without need for extensive 
regression testing and modification of the heuristics of the emulation control module. In addition, the 
system should be able to provide accurate results without emulating unnecessarily large numbers of 
instructions (Nachenberg- column 2- lines 44-50). 

Considering Claim 7, the combination discloses the malicious code detection 
protocol is a protocol from the group of protocols consisting of pattern matching, emulation, 
checksumming, heuristics, tracing, X-raying, and algorithmic scanning (Christodorescu- [0027]). 

Considering Claim 8, the combination discloses the optimizing step comprises performing at 
least one technique from the group of techniques consisting of constant folding, copy propagation, 
non-obvious dead code elimination, code motion, peephole optimization, abstract interpretation,
instruction specialization, and control flow graph reduction (Christodorescu- [0011]-[0028]).

Considering Claim 9, the combination discloses the step of optimizing the body comprises 
using at least one output from the group of steps consisting of optimizing the decryption loop and 
performing a malicious code detection procedure on the optimized loop code (Christodorescu- [0011],
Nachenberg- column 3- lines 35-53). 

Considering Claim 10, the combination discloses the step of performing a malicious code 
detection procedure on the optimized loop code indicates the presence of malicious code in the 
computer code, the steps of optimizing the body and subjecting the optimized body code to a 
malicious code detection protocol are aborted (Christodorescu-[0031]). 

Considering Claim 11, the combination discloses the additional step of, after the step of 
performing a malicious code detection procedure on the optimized loop code, revealing an encrypted 
body (Nachenberg- column 6- lines 10-31). 

Considering Claim 12, the combination discloses the step of revealing an encrypted body 
comprises emulating the optimized loop code (Nachenberg- column 6- lines 10-31). 

Considering Claim 13, the combination discloses the step of revealing an encrypted body 
comprises applying a key gleaned from the optimized loop code (Nachenberg- column 5- lines 52-61,
column 6- lines 10-31). 



Response to Arguments 

The decision to reopen prosecution was based on the previously cited art failing to teach 
"noting the amount of dead code eliminated during the dead code elimination procedure; and wherein 
the amount of dead code eliminated during the dead code eliminated procedure exceeds a
pre-selected dead code threshold."

Conclusion 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to RANDAL D. MORAN whose telephone number is (571)270-1255. The 
examiner can normally be reached on M-F: 7:00 - 4:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Kim Vu can be reached on 571-272-3859. The fax phone number for the organization where this 
application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained 
from either Private PAIR or Public PAIR. Status information for unpublished applications is available 
through Private PAIR only. For more information about the PAIR system, see
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the
Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a
USPTO Customer Service Representative or access to the automated information system, call
800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/R. D. M./ 

Examiner, Art Unit 2135 

6/20/2008 

/KimYen Vu/ 

Supervisory Patent Examiner, Art Unit 2135 



